Systems and Methods for Detecting Obfuscated Malware
First Claim
1. A computer-implemented method for malware detection, the method comprising:
loading at least a portion of a software code into a system memory;
converting the loaded software code into a low-level programming language;
simplifying complex instructions in the converted code into basic instructions;
constructing a data flow model of the simplified software code;
analyzing dependencies and interrelations of code elements of the data flow model to identify obfuscated software codes therein;
optimizing one or more identified obfuscated codes in the data flow model; and
determining based on results of optimization whether the software code is malicious.
Abstract
Disclosed are systems, methods and computer program products for efficient and reliable analysis, optimization and detection of obfuscated malware. One disclosed example method for malware detection includes loading an executable software code on a computer system and disassembling the software code into an assembly language or other low-level programming language. The method then proceeds to simplify complex assembly instructions and construct a data flow model of the simplified software code. The dependencies and interrelations of code elements of the data flow model are analyzed to identify obfuscated software code therein. The identified obfuscated code is then optimized. Based on the results of optimization, a determination is made whether the software code is malicious and/or whether further antimalware analysis of the optimized software code is necessary.
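The pipeline the abstract describes (simplify complex instructions, build a data flow model, optimize away the obfuscation, then run a signature check on the result) is shown below as an added, self-contained example; it is not code from the patent. The tiny three-address IR, the obfuscated sample and the "signature" are constructed for illustration, and the optimizer implements the two passes most relevant to junk-code obfuscation: forward constant propagation and backward dead-store elimination.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ins:                 # one basic instruction: dst = op(srcs)
    op: str
    dst: Optional[str]
    srcs: tuple            # register names (str) or immediate constants (int)
def simplify(code):        # complex forms -> basic: push/pop pair => mov, xor r,r => mov r,0
    out, i = [], 0
    while i < len(code):
        a = code[i]
        if a.op == "push" and i + 1 < len(code) and code[i + 1].op == "pop":
            out.append(Ins("mov", code[i + 1].dst, a.srcs)); i += 2
        elif a.op == "xor" and a.srcs[0] == a.srcs[1]:
            out.append(Ins("mov", a.dst, (0,))); i += 1
        else:
            out.append(a); i += 1
    return out
def fold_constants(code):  # forward data-flow pass: propagate known register values
    env, out = {}, []
    for ins in code:
        vals = [env.get(s, s) if isinstance(s, str) else s for s in ins.srcs]
        if ins.op == "mov" and isinstance(vals[0], int):
            env[ins.dst] = vals[0]; out.append(Ins("mov", ins.dst, (vals[0],)))
        elif ins.op in ("add", "xor") and all(isinstance(v, int) for v in vals):
            r = vals[0] + vals[1] if ins.op == "add" else vals[0] ^ vals[1]
            env[ins.dst] = r; out.append(Ins("mov", ins.dst, (r,)))
        else:
            env.pop(ins.dst, None); out.append(ins)   # dst value now unknown
    return out
def remove_dead(code, live_out):  # backward liveness: drop stores nothing reads
    live, kept = set(live_out), []
    for ins in reversed(code):
        if ins.dst is not None and ins.dst not in live:
            continue                                  # dead store (junk code)
        if ins.dst: live.discard(ins.dst)
        live.update(s for s in ins.srcs if isinstance(s, str))
        kept.append(ins)
    return kept[::-1]
def deobfuscate(code, live_out=("eax",)):
    return remove_dead(fold_constants(simplify(code)), live_out)
# Constructed sample (not from the patent): a junk store, xor-zeroing, a push/pop
# "mov" and a constant split over two adds hide the single instruction mov eax, 0x1010.
SAMPLE = [Ins("mov", "ebx", (0x41,)), Ins("xor", "eax", ("eax", "eax")),
          Ins("add", "eax", ("eax", 0x1000)), Ins("push", None, ("eax",)),
          Ins("pop", "ecx", ()), Ins("add", "eax", ("ecx", 0x10)), Ins("mov", "edx", ("eax",))]
SIGNATURE = (Ins("mov", "eax", (0x1010,)),)  # constructed "known bad" pattern
def matches_signature(code, sig=SIGNATURE):   # signature check on the optimized code
    return tuple(code) == sig
```

The raw sample never equals the signature, while `deobfuscate(SAMPLE)` collapses all seven instructions to the single `mov eax, 0x1010`, which is what makes the signature match possible after optimization.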
20 Claims
9. A system for malware detection, the system comprising:
a system memory for storing a computer-executable software code; and
a processor configured to:
load at least a portion of the executable software code into the system memory;
convert the loaded software code into a low-level programming language;
simplify complex instructions in the converted code into basic instructions;
construct a data flow model of the simplified software code;
analyze dependencies and interrelations of code elements of the data flow model to identify obfuscated software code therein;
optimize one or more identified obfuscated codes in the data flow model; and
determine based on results of optimization whether the software code is malicious.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer-implemented method for malware detection, the method comprising:
loading at least a portion of a software code into a system memory;
converting the loaded software code into a low-level programming language;
simplifying complex instructions in the converted code into basic instructions;
analyzing dependencies and interrelations between the instructions in the simplified software code to identify obfuscated software codes therein;
optimizing one or more identified obfuscated codes in the simplified software code; and
analyzing the optimized software code using a signature matching or heuristic analysis malware detection technique to determine whether the software code is malicious.
Dependent claims: 17, 18, 19, 20.